Summary of the invention
The invention provides a malicious code detection method and system, which solve the problems that binary-signature detection cannot detect unknown viruses and that heuristic detection is slow, and which improve cross-platform detection capability.
A malicious code detection method comprises:
a. loading at least one virus feature library, the virus feature library containing check points, identifiers, features and the detection results corresponding to the check points;
b. analysing whether the detection target file contains the check points in the virus feature library, and if a corresponding check point occurs, recording all identifiers corresponding to the check points;
c. judging, according to the matching mode of the virus feature library, whether transformation processing is to be performed on the identifiers; if so, transforming the identifiers, otherwise proceeding directly to step d;
d. judging whether shortening processing is to be performed: if the length of all identifiers, or of the transformed identifiers, exceeds a preset value, performing one or more hash computations on all identifiers or on the transformed identifiers, otherwise proceeding directly to step e;
e. performing match detection between all identifiers, the transformed identifiers or the shortened identifiers and the features in the designated virus feature library among those loaded, to obtain a detection result;
f. judging whether secondary detection is required: secondary detection is required if the feature in the virus feature library is so preset, in which case the next virus feature library is used and detection restarts from step a; otherwise the detection result is reported.
The method further comprises, before step a is performed, building the virus feature library by:
determining the check points, and detecting the files in a sample set according to the check points;
defining the check-point combinations detected in the files as the features in the virus feature library.
In the method, the check points comprise at least: a binary string at a specified or unspecified offset, file attribute information, file structure information, the environment in which the file resides, and the detection result of a known detection method.
In the method, in step c the identifiers are transformed by one or a combination of the following methods:
concatenating all bytes or some bytes of the identifiers into a feature string;
converting each identifier into a bit, where the bit for a check point that occurs is 1 and the bit for a check point that does not occur is 0.
If matching is performed in a database, the identifiers may be concatenated into a feature string; if a traditional feature library is used for matching, each identifier may be converted into a bit; or the two methods may be combined.
In the method, the match detection of step e between all identifiers, the transformed identifiers or the shortened identifiers and the features in the designated virus feature library among those loaded comprises:
matching against a local virus feature library, or sending all identifiers, the transformed identifiers or the shortened identifiers to a server side for matching against the virus feature library there; if the match succeeds, the file is determined to be a virus file, otherwise it is a non-virus file.
In the method, the number of check points and features can be increased by adding a new virus feature library.
A malicious code detection system comprises:
a virus feature library loading unit, for loading at least one virus feature library, the virus feature library containing check points, identifiers, features and the detection results corresponding to the check points;
a file analysis unit, for analysing whether the detection target file contains the check points in the virus feature library loaded by the virus feature library loading unit, and if a corresponding check point occurs, recording all identifiers corresponding to the check points;
a transformation processing unit, for judging, according to the matching mode of the virus feature library, whether transformation processing is to be performed on the identifiers detected by the file analysis unit; if so, transforming all identifiers, otherwise passing to the shortening processing unit;
a shortening processing unit, for judging whether shortening processing is to be performed: if the length of all identifiers detected by the file analysis unit, or of the identifiers transformed by the transformation processing unit, exceeds a preset value, performing one or more hash computations on all identifiers or on the transformed identifiers, otherwise passing to the feature matching unit;
a feature matching unit, for performing match detection between all identifiers detected by the file analysis unit, the identifiers transformed by the transformation processing unit or the identifiers shortened by the shortening processing unit, and the features in the designated virus feature library loaded by the virus feature library loading unit, to obtain a detection result;
a secondary detection judging unit, for judging whether the detection result of the feature matching unit requires secondary detection: secondary detection is required if the feature in the virus feature library is so preset, in which case the next virus feature library is used to detect again; otherwise the detection result is reported.
The system further comprises, before the virus feature library loading unit loads the virus feature library, a virus feature library building unit, which:
determines the check points, and detects the files in a sample set according to the check points;
defines the check-point combinations detected in the files as the features in the virus feature library.
In the system, the check points in the virus feature library loaded by the virus feature library loading unit comprise at least: a binary string at a specified or unspecified offset, file attribute information, file structure information, the environment in which the file resides, and the detection result of a known detection method.
In the system, the transformation processing unit transforms all identifiers detected by the file analysis unit by one or a combination of the following methods:
concatenating all bytes or some bytes of the identifiers into a feature string;
converting each identifier into a bit, where the bit for a check point that occurs is 1 and the bit for a check point that does not occur is 0.
In the system, the match detection performed by the feature matching unit between all identifiers detected by the file analysis unit, the identifiers transformed by the transformation processing unit or the identifiers shortened by the shortening processing unit, and the features in the designated virus feature library loaded by the virus feature library loading unit comprises:
matching against a local virus feature library, or sending all identifiers, the transformed identifiers or the shortened identifiers to a server side for matching against the virus feature library there; if the match succeeds, the file is determined to be a virus file, otherwise it is a non-virus file.
In the system, the number of check points and features can be increased by adding a new virus feature library.
The present invention relates to the field of computer anti-virus and provides a malicious code detection method and system. The present invention combines binary-signature detection with heuristic detection, taking the methods for detecting unknown computer viruses as feature points: a virus feature library, together with its check points and detection identifiers, is loaded; the detection target is analysed, and if a check point occurs the identifier of the corresponding check point is recorded; whether to perform transformation processing and shortening processing on the identifiers is judged; the processed result is matched against the features in the loaded virus feature library; and whether to perform secondary detection is judged, in which case the next virus feature library is used for detection, otherwise the result is reported. By taking unknown-virus detection methods as feature points and applying traditional feature matching, the present invention raises the speed of unknown-virus detection, solving the problem that such detection is slow, and, because the features are decoupled from the detection methods, improves cross-platform detection capability. The present invention can further enhance detection capability by increasing the number of features and adding new check points; new check points can be added by adding a new virus feature library without changing the original detection model, which strengthens the maintainability of the detection model.
Embodiment
To enable those skilled in the art to better understand the technical solution in the embodiments of the present invention, and to make the above objects, features and advantages of the present invention more apparent, the technical solution of the present invention is described in further detail below with reference to the accompanying drawings.
The invention provides a malicious code detection method and system, which solve the problems that binary-signature detection cannot detect unknown viruses and that heuristic detection is slow, and which improve cross-platform detection capability.
A malicious code detection method, as shown in Figure 1, comprises:
S101: loading at least one virus feature library, the virus feature library containing check points, identifiers, features and the detection results corresponding to the check points;
S102: analysing whether the detection target file contains the check points in the virus feature library, and if a corresponding check point occurs, recording all identifiers corresponding to the check points;
S103: judging, according to the matching mode of the virus feature library, whether transformation processing is to be performed on the identifiers; if so, performing S104, otherwise proceeding directly to S105;
S104: transforming all identifiers;
S105: judging whether shortening processing is to be performed: if the length of all identifiers, or of the transformed identifiers, exceeds a preset value, performing S106, otherwise proceeding directly to S107;
S106: performing one or more hash computations on all identifiers or on the transformed identifiers;
S107: performing match detection between all identifiers, the transformed identifiers or the shortened identifiers and the features in the designated virus feature library among those loaded, to obtain a detection result;
S108: judging whether secondary detection is required: secondary detection is required if the feature in the virus feature library is so preset, in which case the next virus feature library is used and detection restarts from S102; otherwise the detection result is reported.
The method further comprises, before S101 is performed, building the virus feature library by:
determining the check points, and detecting the files in a sample set according to the check points;
defining the check-point combinations detected in the files as the features in the virus feature library.
In the method, the check points comprise at least: a binary string at a specified or unspecified offset, file attribute information, file structure information, the environment in which the file resides, and the detection result of a known detection method.
When a binary string offset is specified, the check point occurs if the file contains the specified binary string after that offset; when no binary string offset is specified, the check point occurs if the file contains the specified binary string anywhere.
The attribute information of a file may include: the file attribute is hidden; the file is newly created, i.e. if the current time minus the file creation time is within 72 hours the file is regarded as newly created; the filename mixes letters and digits that are easily confused, such as 0 and O, or 1 and I; the filename is purely numeric, such as 123.exe; the file has a double extension, such as aaa.rmvb.exe; the file is an autorun file whose content points to an exe file; the filename, the export name and the original name in the version information do not match; and so on.
The file structure information may include: the DOS header and PE header overlap, i.e. the e_lfanew value in the DOS header is less than sizeof(IMAGE_DOS_HEADER); the entry point is less than SizeOfHeaders; the entry point is 0 and the data after the entry point is 0x4552; the number of sections is greater than 20, i.e. the NumberOfSections field in FileHeader is greater than 20; SizeOfImage is not aligned; the relative offset value of the import table; the appended data (overlay) contains a PE; a TLS table is present; and so on.
The environment information of a file may include: the source of the file; whether it is contained within another file; whether it is operated on by a particular process; and so on.
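As an added example (not code from the patent), the following Python evaluates several of the file-structure check points listed above directly over raw PE32 header bytes; the check-point names and the minimal constructed header are assumptions made for illustration, not real samples.

```python
import struct

DOS_HEADER_SIZE = 64  # sizeof(IMAGE_DOS_HEADER)

def pe_check_points(data: bytes) -> dict:
    """Evaluate a subset of the file-structure check points over raw PE32 bytes.
    Returns {check-point name: occurred?}; a file that cannot be parsed yields
    only the check points that could still be evaluated."""
    cp = {}
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return cp
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # DOS header and PE header overlap when e_lfanew < sizeof(IMAGE_DOS_HEADER)
    cp["dos_pe_overlap"] = e_lfanew < DOS_HEADER_SIZE
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER follows "PE\0\0" + 20-byte file header
    if opt + 64 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return cp
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # NumberOfSections
    entry = struct.unpack_from("<I", data, opt + 16)[0]             # AddressOfEntryPoint
    section_align = struct.unpack_from("<I", data, opt + 32)[0]     # SectionAlignment
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]     # SizeOfImage
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]   # SizeOfHeaders
    cp["entry_inside_headers"] = entry < size_of_headers
    cp["entry_is_zero"] = entry == 0
    cp["too_many_sections"] = num_sections > 20
    cp["size_of_image_misaligned"] = section_align != 0 and size_of_image % section_align != 0
    return cp

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (assumption, not a real file): 25 sections,
    an entry point inside the headers and a SizeOfImage that is not section-aligned."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)  # e_lfanew right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 25, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x100)    # AddressOfEntryPoint, below SizeOfHeaders
    struct.pack_into("<I", opt, 32, 0x1000)   # SectionAlignment
    struct.pack_into("<I", opt, 56, 0x1234)   # SizeOfImage, not a multiple of 0x1000
    struct.pack_into("<I", opt, 60, 0x400)    # SizeOfHeaders
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    print(pe_check_points(build_sample_pe()))
```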
The selected check points are used to detect a sample set; for example, detecting a sample set of 150,000 files yielded 538 check-point combinations, and those check-point combinations that indicate a malicious file are chosen as the features in the virus feature library.
In the method, in S104 the identifiers are transformed by one or a combination of the following methods:
concatenating all bytes or some bytes of the identifiers into a feature string;
converting each identifier into a bit, where the bit for a check point that occurs is 1 and the bit for a check point that does not occur is 0.
If matching is performed in a database, the identifiers may be concatenated into a feature string; if a traditional feature library is used for matching, each identifier may be converted into a bit; or the two methods may be combined.
In the method, the match detection of S107 between all identifiers, the transformed identifiers or the shortened identifiers and the features in the designated virus feature library among those loaded comprises:
matching against a local virus feature library, or sending all identifiers, the transformed identifiers or the shortened identifiers to a server side for matching against the virus feature library there; if the match succeeds, the file is determined to be a virus file, otherwise it is a non-virus file.
In the method, the number of check points and features can be increased by adding a new virus feature library.
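The following Python is an added example (not the patent's own implementation) of steps S102 to S108 over already-evaluated check points: identifiers are collected, transformed into a bit vector or a concatenated string according to the library's matching mode, hashed when they exceed the preset length, matched, and handed to the next library when the matched feature is preset for secondary detection. The check-point names, the two libraries and the "virus"/"secondary" verdict labels are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class FeatureLibrary:
    """One virus feature library: ordered check points, the features built from
    check-point combinations, the matching mode and the shortening threshold."""
    name: str
    check_points: list   # ordered names; in "bits" mode the index is the bit position
    features: dict       # transformed/shortened identifier -> "virus" | "secondary"
    mode: str = "bits"   # "bits" (traditional feature library) or "concat" (database)
    max_len: int = 64    # preset length above which identifiers are hashed
    hash_rounds: int = 1 # one or more hash computations

def collect_identifiers(lib, observed):
    # S102: record the identifier of every library check point present in the target
    return [cp for cp in lib.check_points if cp in observed]

def transform(lib, idents):
    # S103/S104: bit vector (1 = check point occurred) or concatenated identifiers
    if lib.mode == "bits":
        return "".join("1" if cp in idents else "0" for cp in lib.check_points)
    return ";".join(idents)

def shorten(lib, sign):
    # S105/S106: hash only when the identifier exceeds the preset length
    if len(sign) <= lib.max_len:
        return sign
    for _ in range(lib.hash_rounds):
        sign = hashlib.sha256(sign.encode()).hexdigest()
    return sign

def detect(libraries, observed):
    # S107/S108: match each library in turn; a feature preset as "secondary" passes
    # the target to the next library, any other miss (or no next library) is "clean"
    for lib in libraries:
        key = shorten(lib, transform(lib, collect_identifiers(lib, observed)))
        verdict = lib.features.get(key)
        if verdict == "secondary":
            continue
        return "virus" if verdict == "virus" else "clean"
    return "clean"

# Constructed sample libraries (assumptions): a fast local bit-vector library followed
# by a concatenation library whose keys are stored hashed because of its short max_len.
LIB_LOCAL = FeatureLibrary("local", ["hidden_attr", "new_file", "double_ext",
                                     "entry_inside_headers", "dos_pe_overlap"],
                           {"00110": "virus", "01000": "secondary"})
LIB_SERVER = FeatureLibrary("server", ["new_file", "numeric_name", "tls_table"], {},
                            mode="concat", max_len=16)
LIB_SERVER.features[shorten(LIB_SERVER, "new_file;numeric_name")] = "virus"

if __name__ == "__main__":
    libs = [LIB_LOCAL, LIB_SERVER]
    print(detect(libs, {"double_ext", "entry_inside_headers"}))  # virus
    print(detect(libs, {"new_file", "numeric_name"}))            # virus, via secondary detection
    print(detect(libs, {"new_file"}))                            # clean
```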
A malicious code detection system comprises:
a virus feature library loading unit 201, for loading at least one virus feature library, the virus feature library containing check points, identifiers, features and the detection results corresponding to the check points;
a file analysis unit 202, for analysing whether the detection target file contains the check points in the virus feature library loaded by the virus feature library loading unit 201, and if a corresponding check point occurs, recording all identifiers corresponding to the check points;
a transformation processing unit 203, for judging, according to the matching mode of the virus feature library, whether transformation processing is to be performed on the identifiers detected by the file analysis unit 202; if so, transforming all identifiers, otherwise passing to the shortening processing unit 204;
a shortening processing unit 204, for judging whether shortening processing is to be performed: if the length of all identifiers detected by the file analysis unit 202, or of the identifiers transformed by the transformation processing unit 203, exceeds a preset value, performing one or more hash computations on all identifiers or on the transformed identifiers, otherwise passing to the feature matching unit 205;
a feature matching unit 205, for performing match detection between all identifiers detected by the file analysis unit 202, the identifiers transformed by the transformation processing unit 203 or the identifiers shortened by the shortening processing unit 204, and the features in the designated virus feature library loaded by the virus feature library loading unit 201, to obtain a detection result;
a secondary detection judging unit 206, for judging whether the detection result of the feature matching unit requires secondary detection: secondary detection is required if the feature in the virus feature library is so preset, in which case the next virus feature library is used to detect again; otherwise the detection result is reported.
The system further comprises, before the virus feature library loading unit 201 loads the virus feature library, a virus feature library building unit 207, which:
determines the check points, and detects the files in a sample set according to the check points;
defines the check-point combinations detected in the files as the features in the virus feature library.
In the system, the check points in the virus feature library loaded by the virus feature library loading unit 201 comprise at least: a binary string at a specified or unspecified offset, file attribute information, file structure information, the environment in which the file resides, and the detection result of a known detection method.
In the system, the transformation processing unit 203 transforms all identifiers detected by the file analysis unit 202 by one or a combination of the following methods:
concatenating all bytes or some bytes of the identifiers into a feature string;
converting each identifier into a bit, where the bit for a check point that occurs is 1 and the bit for a check point that does not occur is 0.
In the system, the match detection performed by the feature matching unit 205 between all identifiers detected by the file analysis unit 202, the identifiers transformed by the transformation processing unit 203 or the identifiers shortened by the shortening processing unit 204, and the features in the designated virus feature library loaded by the virus feature library loading unit 201 comprises:
matching against a local virus feature library, or sending all identifiers, the transformed identifiers or the shortened identifiers to a server side for matching against the virus feature library there; if the match succeeds, the file is determined to be a virus file, otherwise it is a non-virus file.
In the system, the number of check points and features can be increased by adding a new virus feature library.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will recognise that the present invention admits many variations and modifications without departing from its spirit, and it is intended that the appended claims cover such variations and modifications that do not depart from the spirit of the present invention.